CN106161378A - Security service device, method and business processing device, method and system
- Publication number: CN106161378A
- Application number: CN201510172914.0A
- Authority: CN (China)
- Prior art keywords: security, strategy, service, client, resource
- Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
- Landscapes: Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The present invention provides a security service device and method, and a business processing device, method and system. The method includes: after the client is successfully authenticated, according to a security request sent by the client, obtaining in real time the client's current application scene and security-level setting parameters as a policy identifier; matching the policy identifier in a preset policy library to determine the security policy corresponding to the policy identifier, and issuing it to the client and to the service processing module of the business processing device of the cloud computing security service system; providing the corresponding security service capability to the client and/or the business processing device according to the determined security policy; monitoring the resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system, and charging for that resource usage according to resource charging standards. This scheme formulates differentiated security policies through the policy identifier and thereby provides corresponding security services that meet the personalized security demands of users and services.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a security service device and method, and a business processing device, method and system.
Background technology
Cloud computing has developed rapidly in recent years; Internet companies, operators, communication equipment manufacturers and basic network operators have all paid great attention to it.
In the narrow sense, cloud computing refers to a delivery and usage model for Internet technology (IT, Internet Technology) infrastructure in which the required resources are obtained over the network on demand and in an easily extensible way; in the broad sense it refers to a delivery and usage model for services. This form of service is based on data centers with very strong computing capability: the computing capability they provide runs various customized services, which are delivered to users over the Internet. Its difference from ordinary network services lies in the large-scale application of dynamic-expansion characteristics and virtualization technology.
Cloud computing has advantages such as very large scale, virtualization, and safety and reliability. For network operators, because cloud computing uses dynamic resource allocation and expansion technology, it greatly reduces operating and maintenance costs and thereby achieves energy saving and emission reduction; in addition, operators can expand their scope of operation and are no longer limited to pipeline operation. In a cloud computing environment all resources can be operated and provided as services, including application programs, software, platforms, processing capability, storage, network, computing resources and other infrastructure. For users, cloud computing makes it possible to use network services anytime and anywhere; users can obtain the IT resources needed to run their business without large investment, renting IT resources entirely according to their own demand, obtained on demand and charged for like water, electricity and gas.
Cloud computing generally has three main service modes: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). According to the deployment mode of the service it can further be divided into private cloud, public cloud and hybrid cloud.
In a cloud computing scenario, a large amount of user information is concentrated at the cloud computing provider. Compared with traditional Internet services, the information is more concentrated, the information assets are more valuable, and the attacks faced are more numerous. The security problems faced by cloud computing involve user information security (data integrity, consistency, privacy), service auditing and evidence, network environment security, virtual machine environment security, security inside the data center, management security and other fields. Among these, users' distrust of the security of service providers seriously hinders the commercial development of cloud computing and causes it to face many difficulties; cloud computing security has become the most important bottleneck for large-scale commercial use of the cloud computing service model.
In a cloud computing environment the resources of cloud services and the cloud platform are shared resources. Faced with diverse demands and with users in diverse usage environments, a protection scheme with a single security class is no longer suitable for the cloud computing environment. Cloud computing security urgently needs a new mechanism that can provide fine-grained, personalized security solutions for different services and different users, with the goal of dynamic, differentiated security protection. Correspondingly, under this on-demand supply concept, different security demands and service types also require differentiated security solutions. Security solutions traditionally formulated for a single service cannot adapt to the highly shared characteristic of the cloud computing platform.
Summary of the invention
It is an object of the invention to provide a security service device and method, and a business processing device, method and system, so that security service resources are used on demand according to the demands of users and the personalization of services, are utilized effectively, and green energy saving is achieved.
To achieve the above object, embodiments of the invention provide a security service method applied to a cloud computing security service system, including:
after the client is successfully authenticated, according to a security request sent by the client, obtaining in real time the client's current application scene and security-level setting parameters as a policy identifier;
according to the policy identifier, matching in a preset policy library to determine the security policy corresponding to the policy identifier, and issuing it to the client and to the service processing module of the business processing device of the cloud computing security service system;
according to the determined security policy, providing the corresponding security service capability to the client and/or the business processing device;
monitoring the resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system, and charging for the resource usage according to resource charging standards.
The step of, after the client is successfully authenticated, obtaining in real time the client's current application scene and security-level setting parameters as the policy identifier according to the security request sent by the client includes:
receiving the security request sent by the client, and taking the security parameter set by the user as a first security-level setting parameter;
according to the security request, obtaining the client's service class as a second security-level setting parameter.
The step of matching in the preset policy library according to the policy identifier, determining the security policy corresponding to the policy identifier, and issuing it to the client and the service processing module of the business processing device of the cloud computing security service system includes:
according to the obtained policy identifier, matching in the policy library to find the security policy corresponding to the policy identifier, where the security policies in the policy library are stored in advance according to a preset correspondence between policy identifiers and security policies;
issuing the determined security policy to the client and the service processing module of the business processing device of the cloud computing security service system.
The step of monitoring the resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system, and charging for the resource usage according to resource charging standards, includes:
monitoring the usage of memory resources, computing resources and bandwidth resources consumed by the service processing module when the security service capability is invoked by the business processing device of the cloud computing security service system;
charging for the monitored usage of memory, computing and bandwidth resources according to the corresponding memory resource charging standard, computing resource charging standard and bandwidth resource charging standard respectively.
The service class is determined by the client according to its own quality of service (QoS) classification; the current application scene is determined by the client according to its own Internet Protocol (IP) address and access point position.
The security service capability includes at least one or more of: encryption, authentication, integrity, cloud vulnerability scanning, cloud virus scanning and removal, key management, ciphertext storage, service traffic cleaning, intrusion detection, data isolation and data recovery.
To achieve the above object, embodiments of the invention also provide a security service device applied to a cloud computing security service system, including:
a policy identifier acquisition module, for, after the client is successfully authenticated, obtaining in real time the client's current application scene and security-level setting parameters as a policy identifier according to the security request sent by the client;
a policy determination module, for matching in a preset policy library according to the policy identifier, determining the security policy corresponding to the policy identifier, and issuing it to the client and the service processing module of the business processing device of the cloud computing security service system;
a security capability module, for providing the corresponding security service capability to the client and/or the business processing device according to the determined security policy;
an accounting module, for monitoring the resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system, and charging for the resource usage according to resource charging standards.
The policy identifier acquisition module includes:
a first policy identifier acquisition submodule, for receiving the security request sent by the client and taking the security parameter set by the user as a first security-level setting parameter;
a second policy identifier acquisition submodule, for obtaining the client's service class as a second security-level setting parameter according to the security request.
The policy determination module includes:
a policy determination submodule, for matching in the policy library according to the obtained policy identifier to find the security policy corresponding to the policy identifier, where the security policies in the policy library are stored in advance according to a preset correspondence between policy identifiers and security policies;
a policy issuing submodule, for issuing the determined security policy to the client and the service processing module of the business processing device of the cloud computing security service system.
The accounting module includes:
a resource consumption monitoring submodule, for monitoring the usage of memory resources, computing resources and bandwidth resources when the security service capability is invoked by the business processing device of the cloud computing security service system;
a charging submodule, for charging for the monitored usage of memory, computing and bandwidth resources according to the corresponding memory resource charging standard, computing resource charging standard and bandwidth resource charging standard respectively.
The service class is determined by the client according to its own quality of service (QoS) classification; the current application scene is determined by the client according to its own Internet Protocol (IP) address and access point position.
The security service capability includes at least one or more of: encryption, authentication, integrity, cloud vulnerability scanning, cloud virus scanning and removal, key management, ciphertext storage, service traffic cleaning, intrusion detection, data isolation and data recovery.
To achieve the above object, embodiments of the invention also provide a business processing device applied to a cloud computing security service system, including:
an authentication module, for receiving an authentication request from the client and authenticating the client user according to the authentication request;
a service processing module, for invoking the security service capability according to the security policy determined by the security service device of the cloud computing security service system, and processing user service data.
The processing includes at least one or more of: decryption of received data, encryption of sent data, data isolation and data recovery.
To achieve the above object, embodiments of the invention also provide a business processing method applied to a cloud computing security service system, including:
receiving an authentication request from the client, and authenticating the client user according to the authentication request;
invoking the security service capability according to the security policy determined by the security service device of the cloud computing security service system, and performing security processing on user service data.
To achieve the above object, embodiments of the invention also provide a cloud computing security service system including the security service device described above and the business processing device described above.
The technical scheme of the invention has the following beneficial effects:
With the security service method of the embodiment of the invention, after the client is successfully authenticated, a policy identifier that includes the client's current application scene and security-level setting parameters can be obtained in real time according to the security request sent by the client. A security policy determined by the client's current application scene and security-level setting parameters can reflect the individual demands of the user and the service, so the security policy corresponding to the policy identifier can be determined in the policy library and issued to the client and the service processing module of the business processing device of the cloud computing security service system. Subsequently, when the client and/or the business processing device carries this security policy to invoke the corresponding security service capability, the required security service capability is provided according to this security policy; differentiated security policies are formulated through the policy identifier, so that corresponding security services are provided and the personalized security demands of users and services are met. The resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system is then monitored and charged for according to resource charging standards; because charging is based on resource usage, effective use of resources is ensured and green energy saving is achieved.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the security service device of the embodiment of the invention;
Fig. 2 shows the charging mode of the security service device of the embodiment of the invention;
Fig. 3 is a flow chart of a video conference using the security service;
Fig. 4 shows the implementation architecture of the security service device of the embodiment of the invention;
Fig. 5 is a flow chart of the steps of the security service method of the embodiment of the invention.
Detailed description of the invention
To make the technical problem to be solved by the invention, the technical scheme and the advantages clearer, a detailed description is given below with reference to the drawings and specific embodiments.
The invention addresses the problems that existing security protection has a single security class, cannot adapt to the personalized demands of users and services, and cannot adapt to the shared-resource characteristic of the cloud computing platform. It provides a security service device that achieves on-demand and effective use of security service resources according to user demand and service personalization, as well as green energy saving.
As shown in Fig. 1, a security service device of the embodiment of the invention, applied to a cloud computing security service system, includes:
a policy identifier acquisition module 10, for, after the client is successfully authenticated, obtaining in real time the client's current application scene and security-level setting parameters as a policy identifier according to the security request sent by the client;
a policy determination module 20, for matching in a preset policy library according to the policy identifier, determining the security policy corresponding to the policy identifier, and issuing it to the client and the service processing module of the business processing device of the cloud computing security service system;
a security capability module 30, for providing the corresponding security service capability to the client and/or the business processing device according to the determined security policy;
an accounting module 40, for monitoring the resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system, and charging for the resource usage according to resource charging standards.
First, the security service is provided only to a client user who subscribes to it. The client first initiates authentication to the business processing device. After the client is successfully authenticated, the user can make the relevant security configuration, such as the service's security requirement (or, put differently, the importance of the service information), and the policy identifier acquisition module 10 then obtains a policy identifier according to the security request sent by the client; this policy identifier uses the client's current application scene and security-level setting parameters. A security policy determined by the client's current application scene and security-level setting parameters (the security configuration parameters being those the cloud computing security service system needs in order to implement differentiated security protection for the service the user subscribes to) can reflect the individual demands of the user and the service, so the policy determination module 20 can determine the security policy corresponding to this policy identifier in the policy library and issue it to the client and the service processing module of the business processing device of the cloud computing security service system. Subsequently, when the client and/or the business processing device carries this security policy to invoke the corresponding security service capability, the security capability module 30 provides the required security service capability according to this security policy.
The security service device of the embodiment of the invention also includes an accounting module 40, which monitors the resource usage when the security service capability is invoked by the business processing device of the cloud computing security service system and charges for the resource usage according to resource charging standards. When the business processing device of the cloud computing security service system invokes the security capability module, the security capability module starts differentiated security protection for the service subscribed by the user, which consumes a certain amount of resources; the accounting module 40 monitors and counts the resources consumed, which can be realized by monitoring the security capability module, and charges according to a predetermined fee standard.
The security service device of the embodiment of the invention formulates differentiated security policies through the policy identifier and thereby provides corresponding security services that meet the personalized security demands of users and services; at the same time, charging according to resource usage ensures effective use of resources and achieves green energy saving.
In an embodiment of the invention, the user can customize security parameters before sending the security request, so the security request includes the security parameters set by the user;
the policy identifier acquisition module 10 includes:
a first policy identifier acquisition submodule 101, for receiving the security request sent by the client and taking the security parameter set by the user as a first security-level setting parameter;
a second policy identifier acquisition submodule 102, for obtaining the client's service class as a second security-level setting parameter according to the security request.
Because a reasonable security class set according to the user's demand meets the user's needs, the first policy identifier acquisition submodule 101 takes the user-set security parameter in the security request as the first security-level setting parameter. Different service classes also require reasonable security levels, and a security level that takes the service class into account can minimize the adverse effect of security on service quality, so the second policy identifier acquisition submodule 102 obtains the client's service class from the security request as the second security-level setting parameter. Furthermore, it is known that the current application scenes of different clients (the network environment the client is in when accessing the cloud service), such as a wireless 3G network (airport), a home network or an office network, require different security protection, so a third policy identifier acquisition submodule 103 is also included, which obtains the client's current application scene according to the security request. With the first security-level setting parameter, the second security-level setting parameter and the current application scene as the policy identifier, a more targeted personalized, differentiated and customized security policy can be determined, and security protection carried out on that basis meets the needs of the user and the service.
The service class is determined by the client according to its own quality of service (QoS) classification; the current application scene is determined by the client according to its own Internet Protocol (IP) address and access point position.
Of course, the policy identifier is not limited to the three types of data mentioned in the embodiment of the invention; using data other than the above types as the policy identifier in view of other factors also falls within the scope of the invention.
After the policy identifier acquisition module 10 obtains the policy identifier, the policy determination module 20 can determine the security policy for the user and the service. In an embodiment of the invention, the policy determination module 20 includes:
a policy determination submodule 201, for matching in the policy library according to the obtained policy identifier to find the security policy corresponding to the policy identifier, where the security policies in the policy library are stored in advance according to a preset correspondence between policy identifiers and security policies;
a policy issuing submodule 202, for issuing the determined security policy to the client and the service processing module of the business processing device of the cloud computing security service system.
Since the security policies in the policy library are stored in advance according to the preset correspondence between policy identifiers and security policies, the corresponding security policy can be found by the policy identifier: the policy determination submodule 201 matches the obtained policy identifier in the policy library and finds the security policy corresponding to it. The policy issuing submodule 202 then issues the determined security policy to the client and the service processing module of the business processing device of the cloud computing security service system.
Because the correspondence between policy identifiers and security policies may be adjusted appropriately according to user and service demands, the policy determination module 20 may also include a policy management submodule 203, which can control and manage the security policies in the policy library according to preset values, for example readjusting the correspondence between policy identifiers and security policies, or adding or removing a security policy or changing its specific content.
After the security policy is issued, the client and/or the business processing device invokes the corresponding security service capability in the security capability module according to this security policy.
The security service capability includes at least one or more of: encryption, authentication, integrity, cloud vulnerability scanning, cloud virus scanning and removal, key management, ciphertext storage, service traffic cleaning, intrusion detection, data isolation and data recovery.
The security capability module realizes the security service capability through preset security protocols and algorithms, providing differentiated security protection.
It should be understood that after the security capability module obtains the security policy (the security configuration parameters being those the cloud computing security service system needs in order to implement differentiated security protection for the service subscribed by the user), it starts the associated security protocols and algorithms and applies security protection to the service subscribed by the user. The security service capability provided by the security capability module consumes system resources; for more accurate charging, the cost is calculated according to the charging standard corresponding to each type of resource. In the security service device of the embodiment of the invention, the resources include memory resources, computing resources and bandwidth resources;
the accounting module 40 includes:
a resource consumption monitoring submodule 401, for monitoring the usage of memory resources, computing resources and bandwidth resources when the security service capability is invoked by the business processing device of the cloud computing security service system;
a charging submodule 402, for charging for the monitored usage of memory, computing and bandwidth resources according to the corresponding memory resource charging standard, computing resource charging standard and bandwidth resource charging standard respectively.
In the charging mode shown in Fig. 2, the resource types consumed when the security capability module provides the security service capability are mainly memory resources, computing resources and bandwidth resources. The resource consumption monitoring submodule 401 monitors the usage of each type of resource consumed, and the charging submodule 402 then charges according to the charging standard of each resource type and calculates the fee incurred in each category, thereby determining the price level of the differentiated security service.
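The charging mode just described (meter memory, computing and bandwidth separately, then charge each category by its own standard) as an added Python example; it is not code from the patent. The rates, the per-capability consumption profile, the function names and the sample invocation log are constructed assumptions: the patent states only that the three resource types are monitored and charged according to their respective standards, not how consumption is attributed to a capability.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

# Added example, not the patent's own code. Rates, profile and events are constructed.

# Resource charging standards: price per unit of memory (MB-seconds), computing
# (CPU-seconds) and bandwidth (MB). Constructed sample values.
RATES = {
    "memory": Decimal("0.002"),
    "compute": Decimal("0.02"),
    "bandwidth": Decimal("0.05"),
}

# Constructed consumption profile: units of each resource consumed per kilobyte
# handled by a given security capability (an assumption, not from the patent).
CAPABILITY_PROFILE = {
    "encryption": {"memory": Decimal("0.5"), "compute": Decimal("0.02"), "bandwidth": Decimal("1")},
    "intrusion_detection": {"memory": Decimal("2"), "compute": Decimal("0.05"), "bandwidth": Decimal("1")},
}

CENT = Decimal("0.01")


@dataclass
class ResourceMonitor:
    """Resource consumption monitoring submodule 401: accumulates usage per resource
    type across every invocation of a security capability."""
    usage: dict = field(default_factory=lambda: {k: Decimal("0") for k in RATES})

    def record(self, resource_type: str, amount: Decimal) -> None:
        if resource_type not in self.usage:
            raise ValueError(f"unknown resource type: {resource_type}")
        if amount < 0:
            raise ValueError("usage cannot be negative")
        self.usage[resource_type] += amount


def invoke_capability(monitor: ResourceMonitor, capability: str, kilobytes: int,
                      profile=CAPABILITY_PROFILE) -> None:
    """Security capability module serving one invocation: the consumption implied by the
    capability's profile is reported to the monitor, which is the metering point."""
    if capability not in profile:
        raise ValueError(f"no consumption profile for capability: {capability}")
    for resource_type, per_kb in profile[capability].items():
        monitor.record(resource_type, per_kb * kilobytes)


def charge(usage: dict, rates=RATES) -> tuple:
    """Charging submodule 402: each category is charged by its own standard. Returns
    the per-category fees and their total, both rounded to cents."""
    fees = {r: (usage[r] * rates[r]).quantize(CENT, rounding=ROUND_HALF_UP) for r in rates}
    return fees, sum(fees.values(), Decimal("0")).quantize(CENT)


def meter_session(events, profile=CAPABILITY_PROFILE, rates=RATES) -> tuple:
    """Run a sequence of (capability, kilobytes) invocations through the monitor, then charge."""
    monitor = ResourceMonitor()
    for capability, kilobytes in events:
        invoke_capability(monitor, capability, kilobytes, profile)
    return charge(monitor.usage, rates)


# Constructed invocation log for one video-conference session.
SAMPLE_EVENTS = [
    ("encryption", 100),          # 100 KB of outgoing media encrypted
    ("intrusion_detection", 50),  # 50 KB of traffic inspected
    ("encryption", 100),
]

if __name__ == "__main__":
    fees, total = meter_session(SAMPLE_EVENTS)
    for resource_type, fee in fees.items():
        print(f"{resource_type:>10}: {fee}")
    print(f"     total: {total}")
```

Decimal arithmetic is used deliberately: fees are money, and binary floating point would make the per-category rounding depend on the order of accumulation. Unknown capabilities and resource types are rejected rather than silently metered as zero, so an unprofiled capability cannot be provided for free.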
The application of the security service device of the embodiment of the invention is described below with reference to Fig. 3:
In this embodiment, the user holds a video conference at an airport over WiFi. The service traffic of a video conference is characterized by fixed packet size, constant rate, low rate, very low packet loss, very low delay and very low jitter, and it belongs to the priority class among the service classes.
First, the client sends an authentication request to the authentication module of the business processing device (S1). The authentication module then returns authentication success to the client (S2). After successful authentication, the user makes the relevant security configuration, the security parameter requiring transmission encryption; the client automatically detects the user-configured security parameter and sends a security request carrying the user-set security parameter to the policy identifier acquisition module of the security service device (S3). After the policy identifier acquisition module receives the security request, it obtains in real time the client's current application scene (currently WiFi access) and service class (video conference) (S4), and sends the determined policy identifier to the policy determination module (S5). The policy determination module matches the policy identifier in the preset policy library, determines the security policy corresponding to the policy identifier (S6), and issues it to the client and to the service processing module of the business processing device of the cloud computing security service system (S7, S8). The client, carrying the security policy, invokes the secure encryption and decryption capability; the security capability module provides it to the client (S9) and initiates charging (S10); the accounting module monitors the resource type and usage to determine the resource usage consumed and charges for it according to the resource charging standard (S11). The client then initiates the video conference and the video data is transmitted encrypted (S12). In the business processing device, the service processing module likewise carries the security policy to invoke the secure encryption and decryption capability, which the security capability module provides (S13); the service processing module decrypts received data and encrypts sent data (S14) and transmits video data to the client in encrypted form (S15); the client decrypts received data and encrypts the data it subsequently sends (S16). Once the client and the business processing device are connected, all data sent before disconnection uses the same security policy, so the security policy does not have to be looked up for every transmission.
Because the policy identifier acquisition module obtains the client's current application scenario in real time after receiving a security request, a change of scenario at the client, for example moving from office access to access from a public place (S17), requires a security policy of higher strength, so the security policy must be re-determined. When the current application scenario changes, the client sends the current application scenario (S18); the policy identifier acquisition module obtains the changed policy identifier (S19) and sends the new policy identifier to the policy determination module (S20), which re-determines a new security policy according to the new policy identifier (S21) and issues it to the client and to the service processing module of the service processing device in the cloud computing security service system (S22, S23). Video conference data is then transmitted in encrypted form according to the new security policy (S24); the encryption algorithm now in use may be of a higher level, improving the security of the data transmission.
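The policy identifier acquisition, policy determination and re-determination on scenario change described above (S3 to S8 and S17 to S23), as an added Python example; it is not code from the patent. The PolicyIdentifier and SecurityPolicy types, the entries in POLICY_LIBRARY, the scenario and service-class labels and the client ids are constructed assumptions. The module keeps one issued policy per client, matching the embodiment's reuse of a single policy for the lifetime of a connection, and an identifier with no preset entry yields no policy at all rather than a guessed weaker one.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PolicyIdentifier:
    """Policy identifier assembled from several sources (assumed field names)."""
    security_param: str   # first security-level setting parameter, set by the user (S3)
    service_class: str    # second security-level setting parameter, the client's QoS class (S4)
    scenario: str         # current application scenario, obtained in real time (S4 / S18)


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    cipher: str
    key_bits: int
    capabilities: Tuple[str, ...]


# Preset policy library: a fixed correspondence between policy identifiers and
# security policies. The entries are constructed sample data.
POLICY_LIBRARY: Dict[PolicyIdentifier, SecurityPolicy] = {
    PolicyIdentifier("transmission_encryption", "video_conference", "office_wifi"):
        SecurityPolicy("video-office", "AES-128-GCM", 128, ("encryption",)),
    PolicyIdentifier("transmission_encryption", "video_conference", "public_wifi"):
        SecurityPolicy("video-public", "AES-256-GCM", 256, ("encryption", "integrity")),
}


class PolicyDeterminationModule:
    """Policy identifier acquisition plus policy determination.

    The last policy issued to each client is kept, because one policy is reused
    for the whole connection (S12-S16) and only re-determined when the
    scenario changes (S17-S23).
    """

    def __init__(self, library: Dict[PolicyIdentifier, SecurityPolicy]) -> None:
        self.library = library
        self.issued: Dict[str, SecurityPolicy] = {}

    def acquire_identifier(self, security_param: str, service_class: str,
                           scenario: str) -> PolicyIdentifier:
        return PolicyIdentifier(security_param, service_class, scenario)

    def determine(self, ident: PolicyIdentifier) -> Optional[SecurityPolicy]:
        # Exact match only: an identifier without a library entry yields no policy
        # (fail closed) instead of falling back to some weaker default.
        return self.library.get(ident)

    def handle_security_request(self, client_id: str, security_param: str,
                                service_class: str, scenario: str) -> SecurityPolicy:
        ident = self.acquire_identifier(security_param, service_class, scenario)
        policy = self.determine(ident)
        if policy is None:
            raise LookupError(f"no preset security policy for {ident}")
        self.issued[client_id] = policy   # issued to client and service processing module (S7, S8)
        return policy

    def on_scenario_change(self, client_id: str, security_param: str,
                           service_class: str, new_scenario: str) -> SecurityPolicy:
        # S18-S23: a changed scenario gives a new identifier and therefore a new policy.
        return self.handle_security_request(client_id, security_param, service_class, new_scenario)

    def current_policy(self, client_id: str) -> Optional[SecurityPolicy]:
        return self.issued.get(client_id)


def scenario_change_walkthrough() -> Tuple[SecurityPolicy, SecurityPolicy]:
    """Office WiFi first, then the client moves to a public place (S17)."""
    pdm = PolicyDeterminationModule(POLICY_LIBRARY)
    first = pdm.handle_security_request("client-1", "transmission_encryption",
                                        "video_conference", "office_wifi")
    second = pdm.on_scenario_change("client-1", "transmission_encryption",
                                    "video_conference", "public_wifi")
    return first, second


if __name__ == "__main__":
    before, after = scenario_change_walkthrough()
    print(before.name, before.cipher, "->", after.name, after.cipher)
```

The scenario label comes from the client (the patent derives it from the client's IP address and access point location), so the library is keyed on the full identifier and never lets a missing entry default to the lowest-strength policy.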
When the user has configured a data security protection capability, the client can automatically map the service granularity set by the user to the type-of-service field of the IP packet. By using the Differentiated Services (DiffServ) framework, the service processing module can extract the service granularity of the data to be sent (S25); in this case the policy identifier obtained by the policy identifier acquisition module is supplied by the service processing module (S26). The policy determination module matches the policy identifier against the preset policy library, determines the security policy corresponding to that identifier (S27), and issues it to the service processing module of the service processing device in the cloud computing security service system (S28). The service processing module, carrying the security policy, invokes the security capability; the security capability module provides security protection to the service processing module (S29), and the service processing module performs the protection (data isolation, data recovery, data encryption and so on) (S30). The security capability module initiates charging (S31); the charging module monitors the resource type and usage, determines the amount of resources consumed, and charges for that consumption according to the resource charging standard (S32).
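The mapping of service granularity to the IP type-of-service field under DiffServ, and its extraction by the service processing module (S25, S26), as an added Python example that is not the patent's code. The DSCP code points used (EF = 46, AF41 = 34, default = 0) are standard DiffServ values; the assignment of service classes to them, the header builder, the addresses and the function names are constructed assumptions.

```python
import socket
import struct

# Constructed assignment of service classes to DSCP code points.
# 46 (EF) and 34 (AF41) are standard DiffServ code points; which service class
# gets which code point is an assumption for this example.
SERVICE_TO_DSCP = {"voice": 46, "video_conference": 34, "best_effort": 0}
DSCP_TO_SERVICE = {v: k for k, v in SERVICE_TO_DSCP.items()}

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, ToS, total length, id, flags/frag, TTL, proto, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int, payload_len: int, proto: int = 17) -> bytes:
    """Client side: write the service granularity into the ToS byte as a DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    tos = dscp << 2          # DSCP is the upper 6 bits of the ToS byte; the low 2 bits are ECN
    fields = [0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields)


def extract_dscp(packet: bytes) -> int:
    """Service processing module side: validate the header, then read the DSCP (S25)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos = packet[0], packet[1]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IHL")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return tos >> 2


def service_class_of(packet: bytes) -> str:
    """Service granularity used as policy identifier input (S26); unknown marks map to best effort."""
    return DSCP_TO_SERVICE.get(extract_dscp(packet), "best_effort")


if __name__ == "__main__":
    hdr = build_ipv4_header("10.0.0.2", "10.0.0.1", SERVICE_TO_DSCP["video_conference"], 1200)
    print(hdr.hex(), "->", service_class_of(hdr))
```

The DSCP byte is written by the client and is neither authenticated nor integrity protected on the wire, so the service processing module should treat unknown or unexpected code points as the default class and derive only policy inputs, never weaker policies, from the marking alone.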
In summary, in the security service device of the embodiment of the present invention, as shown in Figure 4, the policy identifier acquisition module obtains the relevant policy identifier through multiple channels (user-set security parameters, current application scenario, service class and others); the policy determination module formulates a differentiated security policy according to the policy identifier and at the same time controls, manages and issues the security policy for execution; the security capability module provides security service capabilities according to the determined security policy, thereby providing the corresponding security service and meeting the individual security needs of users and services; and the charging module monitors resources and charges according to resource usage, ensuring effective use of resources and achieving energy saving.
As shown in Figure 5, an embodiment of the invention further provides a security service method applied to a cloud computing security service system, comprising:
Step 11: after the client has been authenticated successfully, according to the security request sent by the client, obtain in real time the client's current application scenario and security-level setting parameters as a policy identifier;
Step 12: according to the policy identifier, match in a preset policy library, determine the security policy corresponding to the policy identifier, and issue it to the client and to the service processing module of the service processing device in the cloud computing security service system;
Step 13: according to the determined security policy, provide the corresponding security service capability to the client and/or the service processing device;
Step 14: monitor the resource usage when the security service capability is invoked by the service processing device of the cloud computing security service system, and charge for that resource usage according to the resource charging standard.
The security request includes the security parameter set by the user, and Step 11 includes:
Step 111: receive the security request sent by the client, and obtain the user-set security parameter as the first security-level setting parameter;
Step 112: according to the security request, obtain the client's service class as the second security-level setting parameter.
Step 12 includes:
Step 121: according to the obtained policy identifier, match in the policy library and find the security policy corresponding to that policy identifier; the security policies in the policy library are stored in advance according to a preset correspondence between policy identifiers and security policies;
Step 122: issue the determined security policy to the client and to the service processing module of the service processing device in the cloud computing security service system.
The resources include storage resources, computing resources and bandwidth resources, and Step 14 includes:
Step 141: monitor the usage of storage resources, computing resources and bandwidth resources when the security service capability is invoked by the service processing device of the cloud computing security service system;
Step 142: according to the monitored usage of storage, computing and bandwidth resources, charge each separately according to the corresponding storage resource charging standard, computing resource charging standard and bandwidth resource charging standard.
The service class is determined by the client according to its own quality of service (QoS) classification setting; the current application scenario is determined by the client according to its own Internet Protocol (IP) address and access point location.
The security service capability includes at least one of: encryption, authentication, integrity, cloud vulnerability scanning, cloud virus scanning and removal, key management, ciphertext storage, service traffic scrubbing, intrusion detection, and data isolation and recovery.
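Steps 141 and 142 above (monitor storage, computing and bandwidth usage per invocation of a security capability, then charge each resource type at its own standard), as an added Python example; it is not the patent's code. The unit prices in CHARGING_STANDARD, the units (GB-hours, vCPU-seconds, MB), the client ids and the usage records are constructed assumptions. Amounts are kept as Decimal so the per-resource rounding is exact and reproducible.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Union

Number = Union[int, float, str, Decimal]

# Resource charging standards (constructed): price per unit of each resource type.
# Units are assumed: storage in GB-hours, computing in vCPU-seconds, bandwidth in MB.
CHARGING_STANDARD: Dict[str, Decimal] = {
    "storage": Decimal("0.002"),
    "computing": Decimal("0.0001"),
    "bandwidth": Decimal("0.01"),
}
CENT = Decimal("0.01")


@dataclass(frozen=True)
class UsageRecord:
    """One monitored invocation of a security capability by the service processing module."""
    client_id: str
    capability: str   # e.g. "encryption", "data_isolation"
    resource: str     # "storage", "computing" or "bandwidth"
    amount: Decimal


class ChargingModule:
    def __init__(self, standard: Dict[str, Decimal]) -> None:
        self.standard = standard
        self.records: List[UsageRecord] = []

    def monitor(self, client_id: str, capability: str, resource: str, amount: Number) -> None:
        """Resource consumption monitoring sub-module (Step 141)."""
        if resource not in self.standard:
            raise ValueError(f"unknown resource type: {resource}")
        qty = Decimal(str(amount))
        if qty < 0:
            raise ValueError("usage cannot be negative")
        self.records.append(UsageRecord(client_id, capability, resource, qty))

    def usage_by_resource(self, client_id: str) -> Dict[str, Decimal]:
        totals = {r: Decimal(0) for r in self.standard}
        for rec in self.records:
            if rec.client_id == client_id:
                totals[rec.resource] += rec.amount
        return totals

    def charge(self, client_id: str) -> Dict[str, Decimal]:
        """Charging sub-module (Step 142): each resource type billed at its own standard."""
        bill: Dict[str, Decimal] = {}
        for resource, used in self.usage_by_resource(client_id).items():
            bill[resource] = (used * self.standard[resource]).quantize(CENT, rounding=ROUND_HALF_UP)
        bill["total"] = sum(bill.values(), Decimal(0))
        return bill


def sample_bill() -> Dict[str, Decimal]:
    """Constructed usage for one client's encrypted video conference plus data isolation."""
    cm = ChargingModule(CHARGING_STANDARD)
    cm.monitor("client-1", "encryption", "computing", 1200)    # 1200 vCPU-seconds
    cm.monitor("client-1", "encryption", "bandwidth", 350)     # 350 MB
    cm.monitor("client-1", "data_isolation", "storage", 40)    # 40 GB-hours
    cm.monitor("client-2", "encryption", "bandwidth", 999)     # another client, not billed here
    return cm.charge("client-1")


if __name__ == "__main__":
    for item, cost in sample_bill().items():
        print(f"{item:10s} {cost}")
```

Because every record names the client, the capability and the resource type, the same records also answer the audit question of which capability invocation consumed what, not only how much to charge.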
In the security service method of the embodiment of the present invention, the corresponding policy identifier is obtained through multiple channels (user-set security parameters, current application scenario, service class and others); a differentiated security policy is then formulated according to the policy identifier, while the security policy is controlled, managed and issued for execution; and security service capabilities are provided according to the determined security policy, thereby providing the corresponding security service and meeting the individual security needs of users and services. Resources are also monitored and charged according to resource usage, ensuring effective use of resources and achieving energy saving.
It should be noted that this security service method is the method applied to the security service device described above; the implementation of the security service device applies to this method and achieves the same technical effect.
An embodiment of the present invention further provides a service processing device applied to a cloud computing security service system, comprising:
an authentication module 50, configured to receive an authentication request from a client and authenticate the client user according to the authentication request;
a service processing module 60, configured to invoke a security service capability according to the security policy determined by the security service device of the cloud computing security service system, and to process user service data.
The processing includes at least one of: decrypting received data, encrypting data to be sent, data isolation and data recovery.
The service processing device of the embodiment of the present invention is applied to a cloud computing security service system and cooperates with the security service device described above: the authentication module receives the client's authentication request and authenticates the client user according to it; after authentication succeeds, the security service device formulates a differentiated security policy according to the policy identifier and thereby provides the corresponding security service, and the service processing module can invoke the security service capability according to the security policy to process user service data, meeting the individual security needs of users and services.
It should be noted that this service processing device cooperates with the security service device described above; the implementation of the security service device applies to this device and achieves the same technical effect.
An embodiment of the invention further provides a service processing method applied to a cloud computing security service system, comprising:
Step 21: receive an authentication request from a client, and authenticate the client user according to the authentication request;
Step 22: invoke a security service capability according to the security policy determined by the security service device of the cloud computing security service system, and perform security processing on user service data.
The processing includes at least one of: decrypting received data, encrypting data to be sent, data isolation and data recovery.
This service processing method is applied to a cloud computing security service system and cooperates with the security service device described above: it receives the client's authentication request and authenticates the client user according to it; after authentication succeeds, the security service device formulates a differentiated security policy according to the policy identifier and thereby provides the corresponding security service, so that the security service capability can be invoked according to the security policy to process user service data, meeting the individual security needs of users and services.
It should be noted that this service processing method is the method applied to the service processing device described above; the implementation of the service processing device applies to this method and achieves the same technical effect.
An embodiment of the invention further provides a cloud computing security service system comprising the security service device described above and the service processing device described above.
In this cloud computing security service system, the service processing device authenticates the client according to the authentication request received from the client. After the client has been authenticated successfully, the security service device obtains in real time, according to the security request sent by the client, the client's current application scenario and security-level setting parameters, and issues the corresponding security policy once it has been determined. The security service device can provide the corresponding security capability to the client and/or the service processing device according to the security policy, monitor the resources consumed when the service processing device invokes the security service capability, and charge according to the resource charging standard; the service processing device performs security processing on user service data by invoking the security service capability. The system meets the individual security needs of users and services while monitoring resources and charging according to resource usage, ensuring effective use of resources and achieving energy saving.
The above are preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and such improvements and modifications are also to be regarded as falling within the scope of protection of the present invention.
Claims (16)
1. A security service method applied to a cloud computing security service system, characterized by comprising:
after the client has been authenticated successfully, according to the security request sent by the client, obtaining in real time the client's current application scenario and security-level setting parameters as a policy identifier;
according to the policy identifier, matching in a preset policy library, determining the security policy corresponding to the policy identifier, and issuing it to the client and to the service processing module of the service processing device in the cloud computing security service system;
according to the determined security policy, providing the corresponding security service capability to the client and/or the service processing device;
monitoring the resource usage when the security service capability is invoked by the service processing device of the cloud computing security service system, and charging for that resource usage according to the resource charging standard.
2. The security service method according to claim 1, characterized in that the step of, after the client has been authenticated successfully, obtaining in real time according to the security request sent by the client the client's current application scenario and security-level setting parameters as a policy identifier comprises:
receiving the security request sent by the client, and obtaining the user-set security parameter as a first security-level setting parameter;
according to the security request, obtaining the client's service class as a second security-level setting parameter.
3. The security service method according to claim 1, characterized in that the step of matching in the preset policy library according to the policy identifier, determining the security policy corresponding to the policy identifier, and issuing it to the client and to the service processing module of the service processing device in the cloud computing security service system comprises:
according to the obtained policy identifier, matching in the policy library and finding the security policy corresponding to the policy identifier, wherein the security policies in the policy library are stored in advance according to a preset correspondence between policy identifiers and security policies;
issuing the determined security policy to the client and to the service processing module of the service processing device in the cloud computing security service system.
4. The security service method according to claim 1, characterized in that the step of monitoring the resource usage when the security service capability is invoked by the service processing device of the cloud computing security service system and charging for that resource usage according to the resource charging standard comprises:
monitoring, when the security service capability is invoked by the service processing device of the cloud computing security service system, the usage of storage resources, computing resources and bandwidth resources consumed by the service processing module;
according to the monitored usage of storage, computing and bandwidth resources, charging separately according to the corresponding storage resource charging standard, computing resource charging standard and bandwidth resource charging standard.
5. The security service method according to claim 2, characterized in that the service class is determined by the client according to its own quality of service (QoS) classification setting, and the current application scenario is determined by the client according to its own Internet Protocol address and access point location.
6. The security service method according to claim 1, characterized in that the security service capability includes at least one of: encryption, authentication, integrity, cloud vulnerability scanning, cloud virus scanning and removal, key management, ciphertext storage, service traffic scrubbing, intrusion detection, and data isolation and recovery.
7. A security service device applied to a cloud computing security service system, characterized by comprising:
a policy identifier acquisition module, configured to, after the client has been authenticated successfully, obtain in real time according to the security request sent by the client the client's current application scenario and security-level setting parameters as a policy identifier;
a policy determination module, configured to match in a preset policy library according to the policy identifier, determine the security policy corresponding to the policy identifier, and issue it to the client and to the service processing module of the service processing device in the cloud computing security service system;
a security capability module, configured to provide the corresponding security service capability to the client and/or the service processing device according to the determined security policy;
a charging module, configured to monitor the resource usage when the security service capability is invoked by the service processing device of the cloud computing security service system, and to charge for that resource usage according to the resource charging standard.
8. The security service device according to claim 7, characterized in that the policy identifier acquisition module comprises:
a first policy identifier acquisition sub-module, configured to receive the security request sent by the client and obtain the user-set security parameter as a first security-level setting parameter;
a second policy identifier acquisition sub-module, configured to obtain the client's service class as a second security-level setting parameter according to the security request.
9. The security service device according to claim 7, characterized in that the policy determination module comprises:
a policy determination sub-module, configured to match in the policy library according to the obtained policy identifier and find the security policy corresponding to the policy identifier, wherein the security policies in the policy library are stored in advance according to a preset correspondence between policy identifiers and security policies;
a policy issuing sub-module, configured to issue the determined security policy to the client and to the service processing module of the service processing device in the cloud computing security service system.
10. The security service device according to claim 7, characterized in that the charging module comprises:
a resource consumption monitoring sub-module, configured to monitor the usage of storage resources, computing resources and bandwidth resources when the security service capability is invoked by the service processing device of the cloud computing security service system;
a charging sub-module, configured to charge, according to the monitored usage of storage, computing and bandwidth resources, separately according to the corresponding storage resource charging standard, computing resource charging standard and bandwidth resource charging standard.
11. The security service device according to claim 8, characterized in that the service class is determined by the client according to its own quality of service (QoS) classification setting, and the current application scenario is determined by the client according to its own Internet Protocol address and access point location.
12. The security service device according to claim 7, characterized in that the security service capability includes at least one of: encryption, authentication, integrity, cloud vulnerability scanning, cloud virus scanning and removal, key management, ciphertext storage, service traffic scrubbing, intrusion detection, and data isolation and recovery.
13. A service processing device applied to a cloud computing security service system, characterized by comprising:
an authentication module, configured to receive an authentication request from a client and authenticate the client user according to the authentication request;
a service processing module, configured to invoke a security service capability according to the security policy determined by the security service device of the cloud computing security service system, and to process user service data.
14. The service processing device according to claim 13, characterized in that the processing includes at least one of: decrypting received data, encrypting data to be sent, data isolation and data recovery.
15. A service processing method applied to a cloud computing security service system, characterized by comprising:
receiving an authentication request from a client, and authenticating the client user according to the authentication request;
invoking a security service capability according to the security policy determined by the security service device of the cloud computing security service system, and performing security processing on user service data.
16. A cloud computing security service system, characterized by comprising the security service device according to any one of claims 7 to 12 and the service processing device according to claim 13 or 14.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510172914.0A CN106161378A (en) | 2015-04-13 | 2015-04-13 | Security service device, method and business processing device, method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510172914.0A CN106161378A (en) | 2015-04-13 | 2015-04-13 | Security service device, method and business processing device, method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106161378A true CN106161378A (en) | 2016-11-23 |
Family
ID=57335884
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510172914.0A Pending CN106161378A (en) | 2015-04-13 | 2015-04-13 | Security service device, method and business processing device, method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106161378A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1798064A (en) * | 2004-12-30 | 2006-07-05 | 华为技术有限公司 | Method and system for guaranteeing safety of data service in wireless broadband access system |
CN101146305A (en) * | 2006-09-13 | 2008-03-19 | 中兴通讯股份有限公司 | Configuration method of secure policy |
CN102457560A (en) * | 2010-10-29 | 2012-05-16 | 中兴通讯股份有限公司 | Method and system for safety management of cloud computing |
CN102932382A (en) * | 2011-08-08 | 2013-02-13 | 中兴通讯股份有限公司 | Safety on-demand supply method and system, and service type acquisition method |
US20140090014A1 (en) * | 2005-11-22 | 2014-03-27 | Fortinet, Inc. | Policy-based content filtering |
- 2015-04-13 CN CN201510172914.0A patent/CN106161378A/en active Pending
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109120575A (en) * | 2017-06-22 | 2019-01-01 | 大唐移动通信设备有限公司 | A kind of configuration method and device of security strategy |
WO2019090492A1 (en) * | 2017-11-07 | 2019-05-16 | Oppo广东移动通信有限公司 | Data processing method and network device |
CN109962886B (en) * | 2017-12-22 | 2021-10-29 | 北京安天网络安全技术有限公司 | Method and device for detecting network terminal threat |
CN109962886A (en) * | 2017-12-22 | 2019-07-02 | 北京安天网络安全技术有限公司 | The detection method and device that the network terminal threatens |
CN110278556A (en) * | 2018-03-13 | 2019-09-24 | 中兴通讯股份有限公司 | A kind of safety certification strategy determines method, equipment and computer readable storage medium |
CN110278556B (en) * | 2018-03-13 | 2021-11-12 | 中兴通讯股份有限公司 | Security authentication policy determination method, device and computer readable storage medium |
US11722899B2 (en) | 2018-03-15 | 2023-08-08 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Data processing method, access network device, and core network device |
US11317291B2 (en) | 2018-03-15 | 2022-04-26 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Data processing method, access network device, and core network device |
CN110443059A (en) * | 2018-05-02 | 2019-11-12 | 中兴通讯股份有限公司 | Data guard method and device |
CN108400897A (en) * | 2018-05-04 | 2018-08-14 | 新华三大数据技术有限公司 | network security configuration method and device |
CN110472930A (en) * | 2019-07-24 | 2019-11-19 | 阿里巴巴集团控股有限公司 | For going out the method, system and calculating equipment of gold management |
CN111488182B (en) * | 2020-04-13 | 2023-04-28 | 北京字节跳动网络技术有限公司 | System configuration method, device, equipment and storage medium |
CN111488182A (en) * | 2020-04-13 | 2020-08-04 | 北京字节跳动网络技术有限公司 | System configuration method, device, equipment and storage medium |
CN111767149A (en) * | 2020-06-29 | 2020-10-13 | 百度在线网络技术(北京)有限公司 | Scheduling method, device, equipment and storage equipment |
CN111767149B (en) * | 2020-06-29 | 2024-03-05 | 百度在线网络技术(北京)有限公司 | Scheduling method, device, equipment and storage equipment |
CN114765552A (en) * | 2021-01-04 | 2022-07-19 | 航天信息股份有限公司 | Data processing method, middle station system, storage medium and electronic equipment |
CN114765552B (en) * | 2021-01-04 | 2023-11-07 | 航天信息股份有限公司 | Data processing method, medium system, storage medium and electronic equipment |
US11755717B2 (en) | 2021-03-18 | 2023-09-12 | International Business Machines Corporation | Security compliance for a secure landing zone |
CN114268508A (en) * | 2021-12-30 | 2022-04-01 | 天翼物联科技有限公司 | Internet of things equipment secure access method, device, equipment and medium |
CN114268508B (en) * | 2021-12-30 | 2023-08-18 | 天翼物联科技有限公司 | Internet of things equipment security access method, device, equipment and medium |
CN115589321A (en) * | 2022-10-11 | 2023-01-10 | 中国电信股份有限公司 | Security context isolation policy negotiation method, device, equipment and storage medium |
CN117216758A (en) * | 2023-11-08 | 2023-12-12 | 新华三网络信息安全软件有限公司 | Application security detection system and method |
CN117216758B (en) * | 2023-11-08 | 2024-02-23 | 新华三网络信息安全软件有限公司 | Application security detection system and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106161378A (en) | Security service device, method and business processing device, method and system | |
Alcaraz et al. | OCPP protocol: Security threats and challenges | |
US9356967B2 (en) | Secure on-demand supply method and system and traffic type acquisition method | |
US10042665B2 (en) | Customer premises equipment (CPE) with virtual machines for different service providers | |
EP3780523A1 (en) | Network traffic identification method and related device | |
US12034766B2 (en) | Method and system for providing edge service, and computing device | |
TW201505464A (en) | Controlling method for sharing wireless data traffic and system thereof | |
CN102457560B (en) | A kind of method for managing security of cloud computing and system | |
CN105610989A (en) | Data traffic sharing method and system | |
CN110855707A (en) | Internet of things communication pipeline safety control system and method | |
WO2016101595A1 (en) | Method, apparatus and system for accessing third-party resource through application | |
CN109302397A (en) | A kind of network safety managing method, platform and computer readable storage medium | |
CN107547680B (en) | Data processing method and device | |
Sah et al. | A security management for cloud based applications and services with diameter-AAA | |
Hamoudy et al. | Video security in Internet of things: an overview | |
CN106161340A (en) | Service shunting method and system | |
CN114095496A (en) | Terminal application processing method, edge cloud application server, system and medium | |
Jimenez et al. | MHCP: multimedia hybrid cloud computing protocol and architecture for mobile devices | |
CN107547478B (en) | Message transmission method, device and system | |
Qiu et al. | A software-defined security framework for power IoT cloud-edge environment | |
CN103338440B (en) | Authentication method in Verification System and equipment end | |
US20160080276A1 (en) | Methods and arrangement for adapting quality of service for a private channel based on service awareness | |
CN110198294A (en) | Security attack detection method and device | |
WO2016165443A1 (en) | Method for protecting machine type communication device, network entity, and mtc device | |
CN103188269A (en) | Method for controlling user access permission in cloud platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20161123 |